Method of software protection.



A cryptographic method for discouraging the copying and sharing of
purchased software programs allows an encrypted program to be run on
only a designated computer or, alternatively, to be run on any computer
but only by the user possessing a designated smart card. Each program
offering sold by the software vendor is encrypted with a unique file
key and then written on a diskette. A user who purchases a diskette
having written thereon an encrypted program must first obtain a secret
password from the software vendor. This password will allow the
encrypted program to be recovered at a prescribed, designated computer
having a properly implemented and initialised encryption feature. The
encryption feature decrypts the file key of the program from the
password, and when the encrypted program is loaded at the proper
computer, the program or a portion of it is automatically decrypted and
written into a protected memory from which it can only be executed and
not accessed for non-execution purposes. In alternative embodiments,
the user is not confined to a prescribed, designated computer but may
use the program on other, different computers with a smart card
provided the computers have a properly implemented and initialised
encryption feature that accepts the smart card. As a further
modification, the cryptographic facility may support operations that
enable the user to encrypt and decrypt user generated files and/or user
generated programs.

METHOD OF SOFTWARE PROTECTION



This invention is directed to methods of software protection and, more
particularly, to a cryptographic method for discouraging the copying
and sharing of purchased software programs by allowing an encrypted
program to be run on only a designated computer or, alternatively, to
be run on any computer but only by the user possessing a designated
smart card.

With the proliferation of so-called micro computers or personal
computers, there has been an explosion in the writing and publishing of
software for these computers. The investment in time and capital in the
development of a good software program can be substantial, and in order
to recoup this investment, the authors, copyright owners and/or
publishers must rely on royalties and the amortization of costs
produced by the sale of the programs. Since programs are generally
distributed on inexpensive floppy diskettes, the end user often does
not appreciate the substantial costs in the production of the programs.
Moreover, the disk operating systems of most micro computers feature a
disk copy utility which enables the end user to easily make back up
copies of program diskettes. The result has been misuse of the utility
to make unauthorised copies. For example, two or more potential end
users desiring a program may pool their resources and buy one copy of
the program and then duplicate both the program diskette and the
copyrighted manual that accompanies the program diskette. As another
example, a small business having several micro computers may buy a
single copy of a program and then duplicate the program diskette and
manual in order to distribute copies to each micro computer station in
the company. Both of these examples are clear violations of the
copyright laws, but searching out and prosecuting violators is often
impossible. The net result is a substantial loss of revenues to
software authors and publishers. These revenues are needed in order to
finance the development of new and improved software programs as well
as to provide a reasonable profit to those who produced the programs
that are copied without authorisation.

The problem of unauthorised copying and use of programs has been
addressed by the prior art. US-A-4,120,030 to Johnstone discloses a
computer software security system wherein the data address portions of
a set of computer instructions are scrambled in accordance with a
predetermined cipher key before the instructions are loaded into an
instruction memory. The data involved in the program is loaded into a
separate data memory at the addresses specified in the original,
unscrambled program. An unscrambler circuit, which operates in
accordance with the cipher key, is coupled in series with the data
memory address input conductors.

US-A-4,168,396 to Best discloses a microprocessor for executing
computer programs which have been enciphered during manufacture to
deter the execution of the programs in unauthorised computers.
US-A-4,278,837 to Best discloses a crypto-microprocessor chip that uses
a unique cipher key or tables for deciphering a program so that a
program that can be executed in one such chip cannot be run in any
other microprocessor. US-A-4,433,207 to Best discloses an integrated
circuit decoder for providing micro computer users with access to
several proprietary programs that have been distributed to users in
cipher. The decoder chip can decipher a program if an enciphered key
called a "permit code" is presented to the decoder chip.



US-A-4,446,519 to Thomas discloses a method for providing security for
computer software by providing each purchaser of a software package
with an electronic security device which must be operatively connected
to the purchaser's computer. The software sends coded interrogation
signals to the electronic security device which processes the
interrogation signals and transmits coded response signals to the
software. The programs will not be executed unless the software
recognises the response signals according to preselected security
criteria.

The various schemes disclosed by these patents require specialised and
dedicated hardware for accomplishing the security feature. Generally,
these schemes are cumbersome and expensive to implement and therefore
not commercially acceptable. What is needed is a software protection
scheme which is simple and inexpensive to implement, avoiding, in its
simpler forms, the need for specialised and dedicated hardware, but
still able to be extended by the use of additional hardware and which
is attractive to a large number of diverse software publishing houses.

Therefore, according to the present invention, there is provided, as
the core method, a method of software protection comprising the steps
of encrypting each protected program of a program offering for sale or
lease with a unique file key and writing the encrypted program on a
storage medium as a program file, providing a computer having a
protected memory and a cryptographic facility, with a secret unique
cryptographic key identifier, providing a purchaser/lessee of the
storage medium containing the encrypted program with a secret password
unique to the particular program and said cryptographic key identifier,
whereby, when said medium is loaded into said computer and said secret
password is entered thereinto, said program becomes executable after at
least a portion of the program has been decrypted in said cryptographic
facility as a function of said secret password.

Such a software protection scheme is inexpensive to implement and is
essentially transparent to the end user so that it does not detract
from the commercial appeal of the software program. It can be arranged
to allow copying of program diskettes to a hard disk or for purposes of
making backup copies yet limit the simultaneous beneficial use of
multiple copies to one or more designated computers or, alternatively,
limit the use to one unique, non-reproducible and portable device or,
alternatively, to be run on any computer but only by the user
possessing a designated smart card.

Put another way, ideally in this arrangement, each program offering
sold by a software vendor is encrypted with a unique file key and then
written on the diskette. A user who purchases a diskette containing an
encrypted program must first obtain a secret password from the software
vendor. This password will allow the encrypted program to be recovered
at a prescribed, designated computer having a properly implemented and
initialised encryption feature which may be stored in Read Only Memory
(ROM), for example. As part of an initialisation process, when the
program is first loaded, it polls the user to input the password. The
password is written by the program in the header record of the file,
and once written in the header record, the program will not prompt the
user to input his or her password on subsequent uses of the program.
When the diskette is loaded at the proper computer, the encrypted
program or a controlling portion of it is automatically decrypted and
written into a protected memory from which it can only be executed and
not accessed for non-execution purposes. In an alternative embodiment,
the user is not confined to a prescribed, designated computer but may
use the program on other, different computers provided that such
computers incorporate a smart card. A smart card as defined herein is
one having a crypto capability, typically implemented by incorporating
a micro-circuit on the card. The smart card is issued to the user when
the user purchases a computer. The smart card is preinitialised by the
computer manufacturer with a secret parameter unique to that card. The
procedure is similar except that in this case, the password used in
conjunction with the smart card allows the user to decrypt and execute
the program on any computer having a properly implemented and
initialised encryption feature. The smart card embodiment can be
further modified to allow portability with a combination of both a
Public Key (PK) algorithm and the Data Encryption Standard (DES)
algorithm. In this case, the designated public registry (key
distribution centre) additionally personalises the card with the public
key of the computer manufacturer as well as a unique secret card key
(the DES key). When a customer buys software, the customer
automatically obtains a personalised intelligent secure card (smart
card). Each different program recorded on the diskette is encrypted
under a different file key designated by the supplier of the software.
The customer then obtains an authorisation number and password from the
software vendor, as before. The password is written in the header of
the file on the diskette. The computer is also personalised with a
unique key pair, a public computer key and a secret computer key.
However, the public computer key is first decrypted under the secret
key of the computer manufacturer and stored in the computer in that
form. When the program diskette is used, there is a handshake protocol
between the smart card and the computer which, in effect, recovers the
file key and enciphers it under the public key of the computer. This
protocol is such that the handshake will work only at a suitable
computer with a public key algorithm and a properly installed key pair,
i.e., a secret computer key and a public computer key decrypted under
the secret key of the designated public registry. The advantage to this
approach is that the file key can be encrypted using a public key, and
it is not necessary for a universal secret DES key to be stored on each
smart card. The protocol for password generation and distribution is
unaffected by the modification to the internal protocol; i.e., it is
the same for the DES only smart card as for the DES/PK smart card.

The present invention will be described further, by way of example,
with reference to embodiments thereof, as illustrated in the
accompanying drawings, in which:-

Figure 1 is a block diagram of an overview of one form of system
according to the invention, which does not involve the use of a smart
card;

Figure 2 is an illustration of a program diskette format compatible
with the system of Figure 1;

Figure 3 is a flow diagram illustrating the password generation key
management associated with the system of Figure 1;

Figure 4 is a flow diagram illustrating the operation of the computer
cryptographic facility key management associated with the system of
Figure 1;

Figure 5 is a block diagram of an overview of another form of system
according to the invention which uses a smart card;

Figure 6 is a flow diagram illustrating the password generation key
management associated with the system of Figure 5;

Figure 7 is an illustration of a program diskette format compatible
with the system of Figure 5;

Figure 8 is a flow diagram illustrating the operation of the computer
cryptographic facility key management associated with the system of
Figure 5 and using the DES algorithm;

Figure 9 is a flow diagram illustrating the operation of the smart card
using the DES algorithm;

Figure 10 is a flow diagram illustrating the generation of program
diskettes by a software vendor;

Figure 11 is a block diagram of the components internal to a computer
which incorporates the cryptographic facility required in the practice
of the present invention;

Figure 12 is a block diagram showing the basic components of a smart
card usable in some embodiments of the invention;

Figure 13 is a flow diagram illustrating the operation of the computer
cryptographic facility key management with the smart card using the
DES/PK algorithm;

Figure 14 is a flow diagram illustrating the operation of the smart
card using the DES/PK algorithm;

Figure 15 is a flow diagram illustrating a first operation of the
cryptographic facility which derives a file key from user input
parameters;

Figure 16 is a flow diagram illustrating a second operation of the
cryptographic facility which causes a random number to be generated;

Figure 17 is a flow diagram illustrating a third operation of the
cryptographic facility which uses a password from a smart card and a
random number to derive a file key to decrypt a program;

Figure 18 is a flow diagram illustrating a fourth operation, similar to
the first, of the cryptographic facility for generating a file key
using a different algorithmic procedure than used in the first
operation;

Figure 19 is a flow diagram illustrating a fifth operation, similar to
the second, of the cryptographic facility for generating a file key
using the same algorithmic procedure as used in the fourth operation;

Figure 20 is a flow diagram illustrating a sixth operation of the
cryptographic facility for generating a file key from user input
parameters for encrypting data; and

Figure 21 is a flow diagram illustrating a seventh operation of the
cryptographic facility which accepts a password from a smart card for
generating a file key for encrypting data.

In the description which follows, the notations "e" and "d" are used to
denote encrypted and decrypted, respectively. For example, "ePKt(KF)"
means the key KF is encrypted under the key PKt. Similarly,
"dSKu(PKt)" means the key PKt is decrypted under the key SKu. Also, the
term "personal computer" is intended to cover so-called "smart
terminals" which may include personal computers connected to a main
frame computer in the network.

Referring now to the drawings and more particularly to Figure 1, there
is shown an overview of the first embodiment of the invention. The
system according to this embodiment comprises a personal computer 10
having a crypto protected storage facility 101. Each program offering
12 sold by the software vendor is encrypted with a unique file key, KF,
and then written on the diskette. The format of the diskette is
generally shown in Figure 2. One type of cryptographic method that may
be used is a cipher block chaining technique which requires an
initialising vector. If desired, different initialising vectors using
the same file key, KF, can be used to encrypt the same program written
on different diskettes. This ensures that different cipher text is
produced for each diskette and prevents differences in the plain text
from being observed by comparing the corresponding cipher text. The
initialising vector is written in the header record on the diskette.

A user, who purchases a diskette containing an encrypted program, must
first obtain a secret password from the software vendor. This password
will allow the encrypted program to be recovered at the prescribed,
designated personal computer 10 having a properly implemented and
initialised encryption feature. The secret password allows the
particular program to be decrypted, and thus executed, only on a
particular personal computer. This secret password is unique to the
particular program and computer where it is to be recovered and
executed. The password will not allow other encrypted programs to be
recovered on that computer, nor will it allow that same encrypted
program to be recovered on a different computer. Optionally, the user
could be given a second password that would allow the encrypted program
to be recovered on a designated backup computer. Except for the backup
computer, the user would ordinarily be expected to pay an extra fee for
each additional password that would allow the encrypted program to be
recovered on a different computer.

Each diskette has a unique serial number written on the diskette
envelope or outer cover (not shown) and visible to the user. As shown
in Figure 2, this serial number is also recorded in the header record
of the diskette. Also recorded in the header of the diskette is the
program number. In the specific example shown in the figure, the
program number is "12" and the serial number or diskette number is
"3456". A multi-digit authorisation number is obtained by encrypting
the program number and diskette serial number, concatenated together,
under a secret cryptographic key available to and known only by the
software vendor. An n-bit portion of the authorisation number is also
written on the diskette envelope except that it is covered by a thin
metallic film much like that used by the instant lotteries to hide
numbers on lottery cards. Where n is equal to 16, for example, there
are 65,536 possible numbers for the portion of the authorisation number
written on the diskette envelope and therefore, one would have only a
chance of one in 65,536 of accidentally guessing a correct number
written on the diskette envelope.

When a password is requested, an authorisation number of reference is
generated in the same manner as that for generating the authorisation
number. For each password initially issued, a record is made in a data
base that this is a first use of the authorisation number of reference
in the process of issuing the password to a requesting user, and a
record is also made of the password which is issued. Therefore, for
each request of a password, a first use check is made to determine
whether the authorisation number of reference has been previously used
for generating the password.

The procedure is illustrated in Figure 3. After purchasing a diskette,
the user places a telephone call to the software vendor. It is assumed
that the user will not accept a diskette whose authorisation number has
been exposed, i.e. where the metallic film has been scratched off. The
customer provides the software vendor with the program number, the
n-bit portion of the authorisation number, the diskette serial number,
and the computer number. Each computer 10 has a unique identification
or number that is provided on the cover, for example, by a press-on
label visible to the user. This identification or number is associated
with the secret key of the crypto facility of the computer. The program
number and the diskette serial number are loaded into register 20.
Recall that for the specific example shown in Figure 2, these numbers
are "12" and "3456", respectively. Then in block 21, the software
vendor simply encrypts the provided program number and diskette serial
number, concatenated together, with a special secret key, SK, used only
to generate multi-digit authorisation numbers. The n-bit portion of the
authorisation numbers written on the diskettes are produced with the
same encryption technique. The multi-digit authorisation number of
reference is first checked in the software vendor's database to
determine if the authorisation number has been used before.
Alternatively, the software vendor could perform this check using the
program number and diskette serial number. In this case, the software
vendor simply records the program number and diskette serial number in
his data base whenever a password has been issued for those numbers. If
the authorisation number or the program number and diskette serial
number have been used before, the software vendor knows that a password
has been issued for that program number and diskette serial number and
that this password has been recorded in his data base. In that case,
the password is retrieved and reissued to the caller. This process is
represented by block 22 in Figure 3. On the other hand, if the result
of this process indicates a first use, then in block 24 the designated
n-bit portion of the authorisation number of reference produced in
block 21 is compared with the n-bit portion of the authorisation number
provided by the caller. If a match is obtained, the software vendor
generates a special password that will allow the encrypted program to
be decrypted and executed at the designated computer. To accomplish
this, the software vendor forwards an electronic message to the key
distribution centre 14, passing the program number, diskette serial
number and computer number. The key distribution centre 14 encrypts the
computer number with a key, KT, in encryption block 26 to produce an
encryption key, eKT(TR), unique to that particular computer.
Alternatively, the key eKT(TR) could be obtained from a table of stored
keys. The program number and the diskette serial number in register 28
are then encrypted in encryption block 30 with the key eKT(TR) to
produce a cryptographic key unique to the program and computer. In the
example illustrated, this cryptographic key is eKT(PG 123455). The key
distribution centre 14 then returns the cryptographic key to the
software vendor. To further enhance the security of the system,
encryption can be used between the software vendor and the key
distribution centre to protect the secrecy of the cryptographic key.

Meanwhile, the software vendor has obtained from its database the file
key, KF, corresponding to the program number provided by the caller as
indicated by table 32.

The key KF is then encrypted in encryption block 34 with the
cryptographic key returned by the key distribution centre 14 to
generate the requested password. The generated password is then given
to the caller. Passwords may be, for example, 64 bits long and
therefore cannot be guessed or derived from other information available
to the caller. As a last step, the software vendor now makes a record
in his data base that this is the first use of the authorisation number
of reference in the process of issuing the password to a requesting
user, and he also records the calculated password in his data base.

As part of the initialisation process, when the program is loaded in
the computer 10, it polls the user to input the password. The password
is written by the program in the header record of the file as shown in
Figure 2, and once written, the program will not prompt the user to
input his or her password on subsequent uses of that program. For
example, a protocol could operate such that the computer always reads
the header of the diskette looking for a recorded password. If no
password is found, it prompts the user to enter the password and then
writes the password in the header. If the password is found in the
header, the computer uses this password in lieu of prompting the user
to enter a password. The user could also be provided with an override
to enter the password in case the password recorded in the header fails
to produce the correct file key, KF; i.e., the encrypted file is not
recovered properly with the recovered key KF. Note that from the
software vendor's viewpoint the password need not be kept secret since
it does not unlock other encrypted programs.

Optionally, the procedure for issuing passwords at the software vendor
could be fully automated by using a voice answer back system in
conjunction with a multi-frequency tone input. For example, the caller
would be prompted to enter the appropriate numbers using the
multi-frequency tone keyboard on a telephone, and these numbers would
be repeated to the user for verification. If a proper authorisation
number is given, an electronic message is sent to the key distribution
centre 14 to obtain the necessary cryptographic key. This message is
used to calculate the password which, in turn, is repeated to the
caller using the automated voice system. The process of obtaining the
password from the software vendor could be automated still further by
initiating a communications session between an initialisation program
in the personal computer 10 and a password distribution program located
in the computer system of the software vendor. In this case, the user
would call the 800-number and initiate the session. The program number
and diskette serial number could be read from the header record of the
diskette where they have been written by the software vendor. The
computer number could be stored within the system and provided
automatically also. The user would be prompted at the appropriate point
in the session to enter the authorisation number through the keyboard.
The obtained password would be written automatically to the header
record of the diskette file.

If necessary, the user can contact the software vendor at any later
time to re-receive his or her password. To do this, he supplies only
the program number and diskette serial number, which is enough
information to allow the software vendor to determine that a password
has originally been issued for that pair of numbers and to recover the
password value which has been recorded previously in his data base. In
essence, the caller is given an already calculated password for any
program number and diskette serial number in the vendor's database.
This option does not weaken the system but merely makes it more usable
by end users.

When the diskette is loaded at the proper computer 10, the encrypted
program or a portion of it is automatically decrypted and written into
a protected memory 101 from which it can only be executed and not
accessed for non-execution purposes. This is shown in Figure 4 where
the cryptographic facility 101 of computer 10 reads password, program
number and diskette serial number from the file header. The program
number and diskette serial number concatenated together are encrypted
in encryption block 103 with the encryption key for that particular
computer to produce a decryption key which is used in decryption block
105 to decrypt the password and produce the secret file key, KF, that
is used in decrypting the program or a portion of the program. The
procedure used is the Data Encryption Standard (DES). Note that only
the designated computer is capable of generating the decryption key
that will produce the file key, KF.

Turning now to Figure 5, there is shown an alternative embodiment which
is an extension of the first to allow portability of an encrypted
program by means of a smart card 16. In this embodiment, when the user
purchases a computer, the user is also issued with a smart card 16 that
is pre-initialised by the computer manufacturer with a secret parameter
unique to that card. A user, who purchases a diskette containing an
encrypted program, also obtains a secret password from the software
vendor as before, except here, the password is used in conjunction with
the smart card to allow the user to decrypt and execute the program on
any personal computer having a properly implemented and initialised
encryption feature.
The process is illustrated in Figure 6. To obtain the secret password,
in this case, the user provides the smart card number rather than the
computer number. Each smart card has a unique identification or card
number that can be read by the user. If the authorisation number is
valid and another request has not been made for that program number and
diskette serial number as indicated by the compare blocks 22 and 24,
the software vendor generates a special password that will allow the
encrypted program to be decrypted at any personal computer with a valid
encryption feature when used with that smart card. Again, the software
vendor obtains a unique cryptographic key from the key distribution
centre 14 which is used in conjunction with the secret file key to
generate the requested password. In this case, the key distribution
centre 14 is owned, controlled or established under the direction of
the computer manufacturer and uses the card number to obtain a
corresponding card encryption key, KP, from table 27. Alternatively,
the key KP can be generated from a secret key belonging to the key
distribution centre in a similar manner as the eKT(TR) keys are
generated using secret key KT as shown in Figure 3. This encryption key
is then used to encrypt the program number and diskette serial number
in encryption block 30 to produce the cryptographic key that is
returned to the software vendor. As before, the security of the system
can be enhanced by using encryption between the key distribution centre
and the software vendor to protect the secrecy of the communicated
keys. Otherwise, the protocol is the same as that for the first
embodiment. The password is written in the header record of the
diskette as illustrated in Figure 7. The same options are available for
automating the process at the software vendor. Likewise, an
initialisation program in the personal computer 10 can be used to
automatically obtain the password from the software vendor, except here
the smart card number must be entered instead of the computer number.
The smart card number could be read from the smart card or from a
location in the computer where it had been previously stored.

When the diskette is loaded at any authorised computer and the smart
card 16 has been inserted into a proper reader device allowing the card
and computer to carry on an electronic dialogue, the encrypted program
is automatically decrypted and written into the protected memory 101
from which it can only be executed. More specifically, as shown in
Figures 8 and 9, the computer 10 reads the program number, diskette
serial number and password from the file header and passes these with
its computer number to the smart card 16. In the smart card 16, the
computer number is encrypted in encryption block 161 with a universal
key, KT, stored on every smart card. The program number and diskette
serial number are encrypted in encryption block 162 with a key KP which
is unique to and stored in the smart card. The output of encryption
block 162 is a decryption key that is used by decryption block 163 to
decrypt the password to produce the secret file key, KF.

Meanwhile, the cryptographic facility 101 of computer
10 produces a random number T using a random number
generator 107 or the system clock. As part of the internal
protocol interchange between the computer 10 and the
smart card 16, the random number T is passed to the smart
card where it is exclusive ORed with the file key, KF. The
resulting output is encrypted in encryption block 164 with
the output of encryption block 161 to produce a computer
password that is then passed back to the computer. This
computer password is then decrypted in decryption block
109 using a key unique to the computer. The output of
decryption block 109 is exclusive ORed with the random
number T to produce the secret file key, KF. Note that
passwords generated by the card are time variant. If
intercepted and replayed back into the computer at a later
time, they will not allow another copy of the encrypted
program on a different diskette to be decrypted and executed.

Figure 10 shows the process of generation of program
diskettes. First a clear diskette 36 containing the program is
supplied by the software vendor to the software distributer.
The software distributer then encrypts the program in
encryption block 38 using a key KF to produce an encrypted
diskette 40. The key KF could be common to a program or
unique for each diskette. The encrypted diskette is then
copied with a disk copier 42 to produce encrypted diskettes
44 for sale to users. Obviously, in the process illustrated,
the software distributer and the software vendor could be
one and the same.

Figure 11 shows the cryptographic facility 101 in the
personal computer 10. The cryptographic facility is a secure
implementation containing the Data Encryption Standard
(DES) algorithm and storage for a small number of secret
keys. It can be accessed logically only through inviolate
interfaces secure against intrusion, circumvention and
deception which allows processing requests via a control line,
key and data parameters to be presented, and transformed
output to be received. The cryptographic facility comprises
a ROM, such as an EAPROM (Electronically Alterable and
Programmable Read Only Memory), 113 that contains the
computer key. Additional ROM 114 contains programs for
key management sequence generators and disk loader.
Additional Random Access Memory (RAM) 115 contains a
parameter output buffer, a parameter input buffer,
intermediate storage for parameters, data and keys, and
additional storage for the decrypted programs. The RAM 115
is the protected memory of the cryptographic facility 101,
and decrypted programs stored here can only be executed and
not accessed for non-execution purposes.

Figure 12 shows the basic components of a smart card
used in certain embodiments of the invention. The smart
card must contain a microprocessor chip 165 for executing
the crypto algorithm. Further, the card is provided with
memory for storing the key KP and card number. The key
KP, which is unique to the card and kept secret, is stored in
private memory 166, while the card number is stored in
public memory 167. Power for the microprocessor chip and
supporting memories is derived from the computer 10.

The described protocol allows other software vendors
to market encrypted programs that will operate with a
personal computer or with a personal computer and smart
card with no loss of security to protected software or the
secret keys or parameters that support the system. To
interface to the system, it is only necessary for the software
vendor to forward an electronic message to the key
distribution centre, passing the program number and computer
number or, in the case of an implementation supporting
smart cards, passing the program number and smart card
number. The key distribution centre returns a cryptographic
key unique to the program number and computer number or
smart card number which the software vendor uses in
conjunction with the secret file key under which the program
has been encrypted to generate the required password. To
ensure that the same key is not produced by two different
software vendors who have two different programs with
identical program numbers, the protocol can be modified
slightly by assigning a unique two or three digit code
number to each software vendor and then merely redefining
the program number to consist of the software vendor code
number followed by the software vendor defined program
number, i.e. by as many digits as are necessary to
distinguish different programs offered by that software vendor.
Thus, the program number and diskette serial number used
in calculations is replaced by vendor number, program
number and diskette serial number.

Referring now to Figures 13 and 14, as already alluded
to, the second embodiment of the invention using the smart
card can be extended using a public key algorithm. More
specifically, a public key (PK) algorithm is also installed in
the smart card and computer in addition to the DES
algorithm. The advantage of doing this is that the protocols
for the three techniques are very similar. Introduction of the
PK algorithm does not affect the password
generation/distribution process described with reference to
Figure 6. In this embodiment the main advantage of the PK
algorithm is achieved, namely that a universal secret key
need not be stored on the smart card. The card manufacturer
personalises the card with the key KP. The manufacturer
also personalises the card with PKu, the public key of
the registry. When a customer buys software, s/he
automatically gets a personalised smart card. Each different
program recorded on a diskette is encrypted under a
different file key, KF, designated by the supplier of the
software. When a customer buys a program on a diskette, the
customer mails a proof of purchase coupon to the vendor
along with his or her name and the serial number from his
or her smart card. In lieu of this, the proof of purchase
coupon contains an authorisation number that must be
scratched clear as previously described. The numbers are
sparse such that no one could easily guess a number that
represents a valid authorisation number. The customer calls
the vendor and asks for a special password to activate his
or her diskette. This number is given out only after the proof
of purchase authorisation number has been supplied and
checked against an active online file to make sure that no
one has already used the number. If all conditions are
satisfied, the vendor asks for the customer's card number
and uses this to access another active online file to obtain
the key, KP, associated with the smart card as described
with reference to Figure 6. The vendor then enciphers the
file key, KF, of the purchased program and gives this
number to the customer as a password. The customer then
goes to his or her computer and causes the password to be
written in the header of the file on the diskette as previously
described. As shown in Figure 20, the header of the
diskette has stored therein the password eKP(PG123456)(KF)
where KF is the secret file key of the program. Thus, to this
point the procedure is similar to that described with respect
to the smart card/DES only algorithm.

The computer manufacturer personalises the computer
with a unique key pair, the computer public key, PKt, and
the computer secret key, SKt. The computer manufacturer
has the public key of the computer recorded in a public
registry. In effect this means that PKt is stored in the form
dSu(PKt), where SKu is the secret key of the registry and
PKt is the public key of the computer. This value dSu(PKt)
is also stored in the computer.

To use a diskette at any computer, there is a handshake
protocol used between the smart card 16 and the
computer 10 which, in effect, recovers the file key, KF, from
encipherment under the key KP and enciphers it under the
public key, PKt, of the computer. More specifically, the
public key, PKt, of the computer 10 in the form dSu(PKt) is
encrypted in encryption block 161 with the public key of the
registry, PKu, to produce the public key, PKt, of the
computer. The notation dSu(PKt,0) means that the public key
PKt with several redundancy bits (0 bits in this case)
concatenated with it is decrypted under the secret key SKu.
SKu is the secret key belonging to the computer
manufacturer. The redundancy bits are added to the message so
that upon decryption, one can ensure that no spurious text
is decrypted and used as the key PKt. Ordinarily, 16 to 64
bits of redundancy is enough. As a result of these
redundancy bits, the output of encryption block 161 must be
checked to ensure that the redundancy bits compare with a
prestored constant value. If they do, then one can be
certain that the recovered PKt is the public key of some
computer manufactured by the computer manufacturer. This
ensures that an opponent can not get a smart card to use a
public key PKt except one issued by the computer
manufacturer. Of course, it will be recognised by those skilled in
the art that the block with the redundancy bits will typically
be longer than the public key PKu which will necessitate
splitting the block and performing the encryption process
under PKu using chaining techniques well known in the art.

The program number read from the diskette is also
encrypted with the key KP in encryption block 162 to
generate the key eKP(PG123456) which is used to decrypt
the encrypted key KF in decryption block 163. The output
of decryption block 163 is exclusive ORed with a random
number T produced by random number generator 107, and
the result is encrypted in encryption block 164 with the key
PKt to produce the secret file key, KF, exclusive ORed with
the random number T encrypted under the public key of the
computer, PKt. This password is passed by the smart card
16 to the cryptographic facility 101 of the computer 10
where it is decrypted in decryption block 105 using the
secret key, SKt, of the computer and then exclusive ORed
with the random number T. The file key, KF, is now in a
form that can be used at the computer. The protocol is
such that the handshake will work only at a suitable
computer with a public key that has been properly recorded in
the registry, i.e. for which PKt has been deciphered under
the secret key of the registry.

The advantages of the mixed public key and DES
embodiment are several. No secret universal key needs to
be stored on the card since all universal keys used in the
system are public keys. Even if the file key, KF, is
discovered, there is no way for an adversary to cause a clear key
to be accepted by the card. The value T sent from the
computer prevents an adversary from tapping the interface
to obtain the encrypted key KF and replaying it into a
computer. If it were easy to input parameters across the
interface from a dummy card, such an attack is thwarted by
incorporating the value T.

The described protocol allows software vendors to
market encrypted programs that will operate with a
particular computer and smart card with no loss in security to the
protected software of a given vendor or the secret keys or
parameters that support the system. To interface to the
system, it is only necessary for the software vendor to
forward an electronic message to the key distribution centre,
passing the program number and computer number or, in
the case of an implementation supporting smart cards,
passing the program number and smart card number. The
key distribution centre returns a cryptographic key unique to
the program number and computer number or smart card
number. The software vendor uses this cryptographic key in
conjunction with the secret file key under which the program
has been encrypted to generate the required password.

The cryptographic facility 101 supports a limited set of
cryptographic operations for key management purposes.
These operations are controlled by seven microcode
routines stored in ROM and initiated by decoding of an
operation code corresponding to a specific operation. The first of
the seven operations is illustrated in Figure 15 of the
drawings. With no smart card, the first operation is decoded
in operation control unit 102, and the address for the
microcode is stored in register 104. The first operation
accepts a password P1 and a number P2 representing the
concatenation of the program number and diskette serial
number read from a file header record, and from these input
parameters, it derives a file key, KF, that is used only by
the cryptographic facility to decrypt an encrypted program
for the sole purpose of executing the program. More
specifically, the program number and diskette serial number,
concatenated together, are encrypted under a "burned in" key
eKT(TR5678) in encryption block 103 to produce a cipher
text output C1. Then, the password is decrypted in block
105 using as a key the cipher text C1 produced by block
103 to produce cipher text C2 representing the file key, KF.
The user has no access to the file key; i.e. it is kept secret.

With the smart card, the second operation shown in
Figure 16 causes a random number T to be generated
inside the cryptographic facility. A special latch 106 in the
cryptographic facility is also set on as a result of this
operation. The value of T is generated by the random
number generator 107 and stored in a T register 108 in the
cryptographic facility and also presented as an output so
that it can be sent to the smart card. In carrying out the
computer/smart card together with the parameters P1
(password) and P2 (program number // diskette serial
number, where // denotes concatenation) and a third parameter
P3. Where the crypto facility uses the DES algorithm, as
shown in Figures 8 and 9, to encrypt the file key, P3 is the
computer number. Alternatively, where the crypto facility
uses the PK algorithm to encrypt the file key, as shown in
Figures 13 and 14, P3 represents the concatenation of the
public key of the computer, PKt, and a non-secret constant
of sufficient bits which may have a value of zero all
decrypted under the secret key, SKu, of the distribution centre.

Also with the smart card, a third operation shown in
Figure 17 accepts a password P4 from the smart card
provided that the latch 106 is set on. Otherwise, the request
is ignored. From the password P4 and the stored random
number T in register 108, it derives a file key, KF, that is
used by the cryptographic facility to decrypt an encrypted
program for the purpose of only executing that program.
The decryption algorithm for deriving the file key, KF, may
be DES or may be PK. The user has no access to the file
key. After the latch 106 has been tested, latch 106 is reset
by operation control unit 102. This ensures that a new
random number T must be generated before another
password will be accepted by the cryptographic facility via
another invocation of the third operation and thus prevents
old passwords from being played back into the
cryptographic facility. Used together, the second and third
operations are such that they allow an encrypted program to be
decrypted and executed at any computer with a similarly
installed cryptographic facility supporting those operations.
The microcode for the third operation proceeds as follows:
First, latch 106 is tested to see if it is set. If not, the
operation is aborted; otherwise, the latch is reset. The
parameter P4 is then decrypted with the "burned in" key
KT in decryption block 105 to produce the cipher text
output C1. This decryption step is performed with the DES
algorithm using KT = eKT(TR5678) where only DES is
available as shown in Figure 8 or, with the PK algorithm,
the decryption step is performed using KT = SKt where
both DES and PK are available as shown in Figure 13. In
either case, the resulting cipher text C1 is exclusive ORed
with the random number T stored in register 108 to produce
the cipher text C2 representing the file key, KF.
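
The card/computer handshake of Figures 8 and 9 together with the second and third operations, as an added example that is not code from the patent. A toy 64-bit Feistel cipher built on SHA-256 stands in for DES, the facility returns KF only so the result can be inspected, and all keys, the padded computer number and the P2 value are constructed sample values.

```python
import hashlib
import secrets

BLOCK = 8  # 64-bit blocks and keys, the sizes DES works with


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher (assumption, not part of the patent)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel cipher standing in for DES (not DES, not secure)."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def vendor_password(kp: bytes, p2: bytes, kf: bytes) -> bytes:
    """Header password P1: the file key KF enciphered under eKP(P2)."""
    return encrypt(encrypt(kp, p2), kf)


class SmartCard:
    def __init__(self, kt: bytes, kp: bytes):
        self._kt = kt  # universal key KT, stored on every card
        self._kp = kp  # card-unique key KP, private memory 166

    def respond(self, p1: bytes, p2: bytes, p3: bytes, t: bytes) -> bytes:
        computer_key = encrypt(self._kt, p3)       # block 161: eKT(computer number)
        decryption_key = encrypt(self._kp, p2)     # block 162
        kf = decrypt(decryption_key, p1)           # block 163: recover KF
        return encrypt(computer_key, _xor(kf, t))  # block 164: password P4


class CryptoFacility:
    def __init__(self, burned_in_key: bytes):
        self._key = burned_in_key  # eKT(computer number)
        self._t = None             # T register 108
        self._latch = False        # latch 106

    def op2_new_t(self) -> bytes:
        """Second operation: generate T, store it, set the latch."""
        self._t = secrets.token_bytes(BLOCK)
        self._latch = True
        return self._t

    def op3_accept(self, p4: bytes):
        """Third operation: accept one P4 per T, then derive KF."""
        if not self._latch:
            return None            # latch not set: request ignored
        self._latch = False        # a new T is needed before the next P4
        # The facility described keeps KF internal; returned here for inspection.
        return _xor(decrypt(self._key, p4), self._t)


def demo() -> dict:
    # All keys and numbers below are constructed sample values.
    kt = bytes.fromhex("0123456789abcdef")
    kp = bytes.fromhex("fedcba9876543210")
    kf = bytes.fromhex("1122334455667788")
    p3 = b"TR5678\x00\x00"   # computer number padded to one block
    p2 = b"PG12D001"          # program number // diskette serial, one block
    p1 = vendor_password(kp, p2, kf)

    card = SmartCard(kt, kp)
    pc = CryptoFacility(encrypt(kt, p3))

    t1 = pc.op2_new_t()
    p4_first = card.respond(p1, p2, p3, t1)
    recovered = pc.op3_accept(p4_first)
    second_use = pc.op3_accept(p4_first)     # latch already reset

    t2 = pc.op2_new_t()
    p4_second = card.respond(p1, p2, p3, t2)
    stale_replay = pc.op3_accept(p4_first)   # captured P4 against a fresh T
    return {"kf": kf, "recovered": recovered, "second_use": second_use,
            "stale_replay": stale_replay, "p4_first": p4_first,
            "p4_second": p4_second}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if value is not None else None)
```

A captured P4 fails in two independent ways: the reset latch refuses it outright, and after a fresh second operation it decrypts to KF XOR T1 XOR T2 rather than KF.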

The register 104, in addition to storing the address for
the decoded microcode, has three flags denoted D, E and
P. Up to this point in the description, the operation of the
cryptographic facility has been to derive the file key that
can be used to decrypt an encrypted program. As will be
understood from the following description, it is also possible
for a user to use the file key to encrypt data. The flags D, E
and P are used to control these operations. The D flag is
the decryption flag, and the E flag is the encryption flag.
The cryptographic operations of encipher and decipher data
are assumed to be such that a cipher operation will be
performed only if the E flag is tested and found to be set for
an encipher data operation or if the D flag is tested and
found to be set for a decipher operation. In addition, before
decrypted data is directed from the cryptographic facility,
the cryptographic facility will test the P flag. If the P flag is
set, the decrypted data will be directed to an execute only
memory in the cryptographic facility; otherwise, the
decrypted data will be directed to the main memory. Thus, in the
case of the first and third operations described above, the
microcodes for those operations would in addition set the D
flag, reset the E flag, and set the P flag.

In addition to the first three operations, the
cryptographic facility also supports a limited set of general
purpose cryptographic operations. The first of these, referred to
as the fourth operation, is similar to the first operation and is
illustrated in Figure 18. With no smart card, the fourth
operation accepts user selected parameters P1 and P2,
which may be any different arbitrary values selected by the
user. From these parameters, the fourth operation generates
a file key, KF1, using a different algorithmic procedure than
that used by the first operation, where KF1 is a variant of
the file key KF. In the fourth operation, the "burned in" key
eKT(TR5678) is used to encrypt parameter P2 in
encryption block 103. The output of the encryption block 103 is
the cipher text C1 which is used in decryption block 105 to
produce the cipher text C2 representing KF. KF is then
exclusive ORed with the non-zero constant, C, to produce
the variant file key KF1. The key KF1 is used only by the
cryptographic facility to encrypt and decrypt data. The
encrypted and decrypted data are under the control of and
accessible to the computer user. In this case, the user has
a limited encrypt and decrypt feature, except that the
process is performed under the control of a key unknown to
the user of the computer. By remembering the parameters
P1 and P2, the computer user can decrypt encrypted data
at any later time on his or her computer, or any other
computer with a similarly installed cryptographic facility
supporting the second and fifth operations, by issuing the
second operation to generate a new random number T. The
computer/smart card protocol passes T, P1, P2, and P3 to
the smart card to generate P4 as shown in Figure 9 or
Figure 14.

Then a fifth operation is called for to cause the
cryptographic facility to recover the key KF1 from P4, C and the
stored random number T. Thus, the user cannot migrate the
encrypted data to another computer and decrypt it with the
same parameters P1 and P2.

With the smart card, a fifth operation shown in Figure
19 accepts a password P4 from the smart card provided
that the latch 106 is set on. Otherwise, the request is
ignored. From this parameter P4, the fifth operation
generates the file key, KF1, using a different algorithmic
procedure than used by the third operation. The password P4
used in the fifth operation is produced by the smart card,
using the DES algorithm procedure shown in Figure 9 or
the PK algorithm procedure shown in Figure 14, from
parameters P1, P2 and P3 as well as the random number
T generated by the second operation, where P1 and P2 are
user defined parameters and P3 is the computer number
when the crypto facility uses the DES algorithm to encrypt
KF or P3 is the cryptographic variable eSKu(PKt,0) when
the crypto facility uses the PK to encrypt KF. Thus, again
the user has a limited encrypt and decrypt feature, except
that the process is performed under the control of a key
unknown to the user of the computer. By remembering the
parameters P1 and P2, the computer user can decrypt
encrypted data at any later time on his or her computer, or
any other computer with a similarly installed cryptographic
facility supporting the second and fifth operations, by issuing
the second operation to generate a new random number T.
The computer/smart card protocol passes T, P1, P2 and P3
to the smart card to generate P4 as shown in Figure 9 or
Figure 14. Then a fifth operation is called for to cause the
cryptographic facility to recover the key KF1 from P4, C
and the stored random number T. Thus, the user can
migrate the encrypted data to another computer and decrypt
it with the same parameters P1 and P2. Again, the
encrypted and decrypted data are under the control of and
accessible to the computer user. The microcode for the fifth
operation proceeds as follows: First, latch 106 is tested to
see if it is set on. If it is not, the operation is aborted;
otherwise, the latch is reset and the input parameter P4 is
decrypted in decryption block 105 with the "burned in" key
KT. Where only DES is available, KT = eKT(TR5678), but
where both DES and PK are available, KT = SKt. The
output of the decryption block 105 is the cipher text C1
which is exclusive ORed with the random number T stored
in register 108 to produce the cipher text C2 representing
KF. KF is then exclusive ORed with the non-zero constant
C to produce the variant file key KF1. The microcode then
sets the D and E flags and resets the P flag in the register
104.

With no smart card, a sixth operation shown in Figure
20 accepts a user selected password P1 and a number P2,
which may be any arbitrary values selected by the user,
and from these numbers, it generates a file key, KF, using
the same algorithmic procedure as used by the first
operation. The file key is used only by the cryptographic facility to
encrypt data. In this case, the user can encrypt his or her
own data but not decrypt it. Used in conjunction with the
first operation, the sixth operation allows a user to encrypt
his or her own programs and store them on diskette or hard
disk in protected form. The parameters P1 and P2 can also
be written in the header record of the diskette file or disk
file. Later, the saved values of P1 and P2 are used as input
parameters with the first operation to decrypt and execute
programs. P1 and P2 are such that they permit the
encrypted program to be decrypted and executed only at the
computer where the program was originally encrypted, so
that encrypted programs cannot be migrated to other
computers and executed. The microcode for the sixth operation
proceeds as follows: First, the parameter P2 is encrypted in
encryption block 103 with the "burned in" key
eKT(TR5678) to produce the cipher text C1. The cipher text C1
is used in decryption block 105 to decrypt the parameter P1
and produce the cipher text C2 representing the file key,
KF. The microcode sets the E flag and resets the D and P
flags in register 104.

With a smart card, a seventh operation shown in
Figure 21 accepts a password P4 from the smart card
provided that the latch 106 is set on. Otherwise, the request
is ignored. From this it generates a file key, KF, using the
same algorithmic procedure used by the third operation.
More specifically, the microcode decrypts the input
parameter P4 in decryption block 105 with the "burned in" key
KT to produce the cipher text C1. With the DES algorithm
alone, KT = eKT(TR5678) is used, or with a PK algorithm,
KT = SKt. The cipher text is then exclusive ORed with the
random number T stored in register 108 to produce the
cipher text C2 representing the file key, KF. The microcode
for the seventh operation also sets the E flag and resets the
D and P flags in the register 104. In the seventh operation,
the key KF is used only by the cryptographic facility to
encrypt data. The user can encrypt his or her own data but
cannot decrypt it. The password P4 used in the seventh
operation is produced by the smart card, using the DES
algorithm procedure shown in Figure 9 or the PK algorithm
procedure shown in Figure 14, from the parameters P1, P2
and P3 as well as the random number T generated by the
second operation. P1 and P2 are user defined parameters.
Where the crypto facility uses the DES algorithm, as shown
in Figures 8 and 9, to encrypt the file key, P3 is the
computer number. Alternatively, where the crypto facility
uses the PK algorithm to encrypt the file key, as shown in
Figures 13 and 14, P3 represents the concatenation of the
public key of the computer, PKt, and a nonsecret constant
of sufficient bits which may have a value of zero all
decrypted under the secret key, SKu, of the distribution centre.
Used in conjunction with the second operation, the seventh
operation allows the user to encrypt his or her own
programs and store them on a diskette or hard disk in
protected form. The parameters P1 and P2 can also be written
in the header record of the diskette or disk file. Later, the
computer user can decrypt and execute the program on his
or her computer, or any other computer with a similarly
installed cryptographic facility supporting the second and
third operations, by issuing the second operation to produce
a new random number T, passing parameters P1, P2, P3,
and T to the smart card and requesting a new value of P4,
and issuing the third operation to recover the file key KF in
the cryptographic facility from the parameter P4 and the
stored random number T. Thus, the parameters P1 and P2
are such that they permit an encrypted program to be
decrypted and executed at other computers supporting the
second and third operations. Because the seventh operation
does not allow decryption under the recovered key KF, it
cannot be misused by a user to decrypt an encrypted
program purchased in the usual manner.

Summarising, the procedures that are available to a
user of a computer with a cryptographic facility that
supports the seven operations just described are listed in the
table below:

DES Only, No Smart Card                  Operations

1. Program Decryption-Execution          OP1
2. File Encryption/Decryption            OP4
3. Program Encryption                    OP6

DES Only, With Smart Card

1. Program Decryption-Execution          OP2, OP3
2. File Encryption/Decryption            OP2, OP5
3. Program Encryption                    OP2, OP7

DES/PK, With Smart Card

1. Program Decryption-Execution          OP2, OP3
2. File Encryption/Decryption            OP2, OP5
3. Program Encryption                    OP2, OP7



While the invention has been particularly shown and
described with reference to several preferred embodiments
thereof, it will be understood by those skilled in the art that
several changes in form and detail may be made without
departing from the scope of the accompanying claims.

Claims 



1. A method of software protection comprising the steps of
encrypting each protected program of a program offering for
sale or lease with a unique file key and writing the
encrypted program on a storage medium as a program file,
providing a computer having a protected memory and a
cryptographic facility, with a secret unique cryptographic key
identifier, providing a purchaser/lessee (hereinafter, simply
purchaser) of the storage medium containing the encrypted
program with a secret password unique to the particular
program and said cryptographic key identifier, whereby,
when said medium is loaded into said computer and said
secret password is entered thereinto, said program
becomes executable after at least a portion of the program
has been decrypted in said cryptographic facility as a
function of said secret password.

2. A method as claimed in claim 1, wherein, only when the
program is first loaded in said computer, performing the
steps of prompting the user for the secret password, and in
response to the input of the secret password by the user,
writing the password in the header record of the program
file.

3. A method as claimed in claim 1 or claim 2, further
comprising the step of writing the decrypted program into
said protected memory from which it can only be executed.

4. A method as claimed in any preceding claim wherein the
step of providing the secret password is performed by
providing the purchaser of the storage medium containing
the encrypted program with an authorisation number and
identifying the encrypted program with a program number
and the storage medium with a storage medium number,
requesting the purchaser to input the authorisation number,
the program number, the storage medium number and a
number identifying said cryptographic key identifier,
computing from the inputted program number and storage medium
number an authorisation number, comparing the computer
authorisation number with the inputted authorisation number,
providing a key distribution centre with the inputted program
number, storage medium number and the number identifying
said cryptographic key identifier if the computed and
inputted authorisation numbers are the same, otherwise rejecting
a password request by the purchaser, generating a first key
as a function of said cryptographic key identifier and then
encrypting the program number and storage medium
number concatenated together with said first key to produce a
second key at the key distribution centre, and encrypting
the secret file key of the program with said second key to
produce said password.

5. A method as claimed in claim 4 further comprising the
step of determining if the computer authorisation number
has been used before, and if it has not, then performing the
step of comparing the computed authorisation number with
the inputted authorisation number, otherwise rejecting a
password request by the purchaser.

6. A method as claimed in claim 4 or claim 5 wherein the
step of decrypting at least a portion of the program is
performed by the steps of reading said password, program
number and storage medium number from said header
record, encrypting said program number and storage
medium number from said header record, encrypting said
program number and storage medium number concatenated
together with a key which is a function of said secret unique
cryptographic key identifier to produce a decryption key,
decrypting said password with said decryption key to
produce said secret file key, and decrypting the program using
said secret file key.

7. A method as claimed in claim 1 or claim 2, wherein the
step of providing a computer with a secret unique
cryptographic key identifier is performed by the software or
computer vendor issuing to the purchaser a smart card
having said secret unique cryptographic key identifier, said
smart card interfacing with said computer.

8. A method as claimed in claim 7 wherein the step of
providing the secret password is performed by the steps of
providing the purchaser of the storage medium containing
the encrypted program with an authorisation number and
identifying the encrypted program with a program number
and the storage medium with a storage medium number,
requesting the purchaser to input the authorisation number,
a number of the smart card, the program number and the
storage medium number, computing an authorisation number
from the inputted program number and storage medium
number, comparing the computed authorisation number with
the inputted authorisation number, and if the computed and
inputted authorisation numbers are the same, providing a
key distribution centre with the inputted number of the smart
card, the program number and the storage medium number,
otherwise rejecting a password request by the purchaser,
generating a card key corresponding to the inputted card
number and then encrypting the program number and storage
medium number concatenated together with said card
key to produce an encryption key at the key distribution
centre, generating a secret file key corresponding to the
inputted program number, and encrypting said secret file
key with said encryption key to produce said password.

9. A method as claimed in claim 7 or claim 8, wherein the
step of decrypting at least a portion of the program is
performed by the steps of supplying the smart card with the
password, program number and storage medium number,
encrypting in the smart card the program number and
storage medium number concatenated together with the key
of the smart card to produce a decryption key, decrypting
the password with said decryption key to produce the secret
file key, and decrypting in the computer at least said portion
of the program using the secret file key.

10. A method as claimed in claim 9 further comprising the
steps of supplying the smart card with a number identifying
said cryptographic facility, encrypting in the smart card the
number identifying said cryptographic facility with a universal
key to produce a computer encryption key, generating in
the computer a random number and supplying the random
number to the smart card, exclusive ORing in the smart
card the secret file key with the random number and
encrypting the result with said computer encryption key to
produce an encrypted exclusive ORed output, decrypting in
the computer the encrypted exclusive ORed output with the
computer encryption key, and exclusive ORing the decrypted
exclusive ORed output with said random number to
produce the secret file key.

11. A method as claimed in claim 10 wherein the steps of
encryption in the smart card and decryption in the computer
are performed using the DES algorithm.
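
The key flow of claims 8 to 10, traced in Python as an added illustration that is not part of the patent text. A toy Feistel cipher stands in for DES; the 4-byte number fields, the sample keys and the pre-installed computer encryption key are assumptions.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel on 64-bit blocks; a stand-in for DES, not secure."""
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def ids(pn: int, mn: int) -> bytes:  # program no. || storage medium no.
    return pn.to_bytes(4, "big") + mn.to_bytes(4, "big")

def issue_password(card_key, file_key, pn, mn):
    # Key distribution centre (claim 8): password = E_K(file key),
    # where K = E_cardkey(program number || storage medium number).
    return encrypt(encrypt(card_key, ids(pn, mn)), file_key)

def card_release(card_key, universal_key, password, pn, mn, facility_no, rnd):
    # Smart card (claims 9 and 10): recover the file key, mask it with the
    # computer's random number, encrypt under the computer encryption key.
    file_key = decrypt(encrypt(card_key, ids(pn, mn)), password)
    computer_key = encrypt(universal_key, facility_no)
    return encrypt(computer_key, _xor(file_key, rnd))

def facility_recover(computer_key, blob, rnd):
    # Computer (claim 10): decrypt, then remove the random mask.
    return _xor(decrypt(computer_key, blob), rnd)

# Constructed sample values, not taken from the patent.
CARD_KEY, UNIVERSAL_KEY = b"cardkey1", b"univkey1"
FILE_KEY, FACILITY_NO = b"filekey1", b"\x00" * 7 + b"\x2a"
COMPUTER_KEY = encrypt(UNIVERSAL_KEY, FACILITY_NO)  # assumed pre-installed
PASSWORD = issue_password(CARD_KEY, FILE_KEY, 1001, 77)

def run(medium_no: int, rnd: bytes) -> bytes:
    args = (CARD_KEY, UNIVERSAL_KEY, PASSWORD, 1001, medium_no, FACILITY_NO)
    return facility_recover(COMPUTER_KEY, card_release(*args, rnd), rnd)
```

`run(77, rnd)` returns the file key for any random number, while a header carrying a different storage medium number yields an unrelated value, and the card's output differs from session to session because the mask changes.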



12. A method as claimed in claim 9 further comprising the
steps of providing the computer with a public key, PKt,
decrypted under the secret key of a public registry, and also
providing said cryptographic facility with a corresponding
secret key, SKt, providing said smart card with a public key,
PKu, encrypting in the smart card the computer public key
decrypted under the secret key of the public registry with
the card's public key PKu to produce said key PKt,
generating in the computer a random number and supplying the
random number to the smart card, exclusive ORing in the
smart card the secret file key with the random number and
encrypting the result with said key PKt to produce an
encrypted exclusive ORed output, decrypting in the computer
the encrypted exclusive ORed output with the key
SKt, and exclusive ORing the decrypted exclusive ORed
output with said random number to produce the secret file
key.

13. A method as claimed in claim 12 wherein the steps of
encryption and decryption in the smart card and the computer
are performed by selectively using the DES algorithm
and a public key algorithm.

14. A method as claimed in claim 1 wherein said cryptographic
facility supports encryption and decryption of user
generated data comprising the steps of accepting a user
input parameter, and decrypting said user input parameter
under a key which is a function of said secret unique
cryptographic key identifier to generate a file key for
encrypting and decrypting said user generated data.

15. A method as claimed in claim 14 wherein said input
parameter is input as a first parameter and a second
parameter, said step of decrypting comprises the steps of
encrypting said second parameter under said key which
is a function of said secret unique cryptographic key
identifier to produce a first cipher text and decrypting said
first parameter using said first cipher text to produce a
second cipher text corresponding to a key KF.

15. A method as claimed in claim 14 further comprising the
step of exclusive ORing said key KF with a constant to
produce a key KF1 which is used as a file key for encrypting
and decrypting said user generated data.

16. A method as claimed in claim 14 further comprising the
steps of generating a random number, and exclusive ORing
said random number with the decrypted user input parameter
to produce a key KF and exclusive ORing said key KF
with a constant to produce a key KF1 which is used for
encrypting and decrypting user generated data.

17. A method as claimed in claim 14 wherein said cryptographic
facility supports encryption of user generated data
comprising the steps of encrypting user generated data
under said file key, decrypting user generated data by the
steps of accepting the user input parameter in the form of a
first parameter and a second parameter, encrypting said
second parameter with said key which is a function of said
secret unique cryptographic key identifier to produce a
decryption key, decrypting said first parameter with said
decryption key to produce a key KF related to said file key,
and decrypting said user generated data using said file key.